Security Advisory

SSH – Non-Unique SSH Host Key
Published: Wednesday, November 6th, 2019
Last Update: Wednesday, November 6th, 2019

Multiple ACOS release families use hardcoded SSH host keys to support SSH management access for ACOS systems. A remote attacker could exploit this vulnerability to conduct man-in-the-middle attacks by leveraging knowledge of these keys from other ACOS installations to decrypt confidential information on ACOS remote, CLI management connections.

An affected A10 system is only exposed to exploitation of this vulnerability if it is configured to use the system’s default, SSH host key; without the SSH host key having been previously regenerated for the system. The following vulnerability items are addressed in this document.

Item # Vulnerability ID Score Source Score Summary
1 A10-2018-0016 CVSS 3.0 5.9 Medium Non-Unique ACOS SSH Mgmt Host Key
Affected Releases

The table below indicates releases of ACOS exposed to these vulnerabilities and ACOS releases that address them. ACOS release families not indicated below are unaffected by these vulnerabilities.

Customers using affected ACOS releases can overcome vulnerability exposures by updating to the indicated resolved release. If the table does not list a corresponding resolved or unaffected release, then no ACOS release update is currently available.

Releases Affected(a) Releases Resolved or Unaffected

3.1.0 – 3.1.4-Px

3.2.2, 3.2.3, 3.2.4 (c)

2.8.2 – 2.8.2-P9

2.8.2-P10 (b), 4.1.2, 4.1.4-GR1, 5.0.0 (c)

2.7.2 – 2.7.2-P11

2.7.2-P12 (b), 4.1.0, 4.1.1, 4.1.4-GR1, 5.0.0 (c)

2.7.1-GR1 – 2.7.1-GR1-Px

2.7.2-P12 (b), 4.1.0, 4.1.1, 4.1.4-GR1, 5.0.0 (c)

2.6.1-GR1 – 2.6.1-GR1-Px

2.7.2-P12 (b), 4.1.0, 4.1.1, 4.1.4-GR1, 5.0.0 (c)

(a) A10 systems manufactured with ACOS versions including and after 2.7.2-P12, 2.8.2-P10, and 3.2.2 are unaffected by this vulnerability; even if they have been downgraded to an affected ACOS versions.

(b)Upgrading an affected A10 system to 2.7.2-P12 or 2.8.2-P10 will remediate this vulnerability, with no further actions required.

(c) Upgrading an affected A10 system to ACOS 3.2.x, 4.1.x, 5.0.0, or later release families will necessitate regeneration of the SSH host key to enable the updated and unique host key on the A10 device. Regenerating the SSH host key prior to the upgrade is recommended, by issuing the “sshd key regenerate” CLI command.

Releases Affected Releases Resolved or Unaffected
Workarounds and Mitigations

Regenerate the SSH host key on the ACOS system to overcome exposure to this vulnerability. The SSH host key for remote CLI management services can be regenerated by:

  1. issuing the "sshd key regenerate" the ACOS CLI command
Software Updates

Software updates that address these vulnerabilities are or will be published at the following URL:

Vulnerability Details

The following table shares brief descriptions of the vulnerabilities addressed in this document.

Vulnerability ID Vulnerability Description

ACOS 3.1.x, 2.8.2, 2.7.2, 2.7.1-GR1, and 2.6.1-GR1 use non-unique SSH host keys, which might allow remote attackers to defeat cryptographic protection mechanisms and conduct man-in-the-middle attacks by leveraging knowledge of these keys from another installation.

Related Links
The following table shares brief descriptions for the vulnerabilities addressed in this document.
Ref # General Link
[1] CERT CC Vulnerability Note - VU#566724


Modification History
Revision Date Description
1.0 Wednesday, November 6th, 2019

Initial Publication

© Copyright 2019 A10 Networks, Inc. All Rights Reserved.

This document is provided on an "AS IS" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability, non-infringement or fitness for a particular use. Your use of the information in this document or materials linked from this document is at your own risk. A10 Networks, Inc. reserves the right to change or update the information in this document at any time.